Security Basics mailing list archives

RE: RE: Incident response to being scanned


From: "Security News" <security () riggstar com>
Date: Sun, 27 Apr 2003 01:15:21 -0400

Yeah, it's tempting to just go ahead and block the source address, but
because most of these guys have a dynamic address from their ISP, you
really don't want to block other users that may inherit that address, so
it's best to just copy your logs and send them to their ISP's abuse email.

-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
Sent: Saturday, April 26, 2003 5:14 AM
To: security () riggstar com
Cc: security-basics () securityfocus com
Subject: Re: RE: Incident response to being scanned


Yes. All patched, behind a sound firewall and IIS Lockdown.  It's a static
site so URLScan works like a champ.

From: "Security News" <security () riggstar com>
Date: 2003/04/26 Sat AM 01:53:22 EDT
To: "Bob Kelley" <b0bk3ll3yjr () adelphia net>
Subject: RE: Incident response to being scanned

Heck yeah, report those folks to their ISPs.  Also, is your webserver
locked down, and I don't only mean security patches?

-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics () securityfocus com
Subject: Incident response to being scanned




In reviewing my firewall and web server logs, I see repeated attempts from
several IP addresses to scan my network as well as infect my webserver
with Code Red.  The source addresses are not always the same.  I am
confident that I don't have any holes in my firewall and my webserver is
up to date.  I perform weekly vulnerability scans of my equipment to make
sure I am covered.  What is considered the best practice for dealing with
these incidents?  Should I be filing abuse reports with the ISPs of the
source IPs?  This obviously takes time.  I am looking for a business case
to justify the time spent responding.  Thanks







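Added example, not part of the original thread: one way to cut the time cost of the abuse reports discussed above is to pull the Code Red requests out of an IIS W3C extended log and group the raw lines per source address, ready to paste into a report to that address's ISP. The log excerpt is constructed (documentation addresses), and the function names and the 16-character padding threshold are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (documentation addresses, not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-24 03:12:07 192.0.2.15 GET /default.ida NNNNNNNNNNNNNNNNNNNN%u9090%u6858 404
2003-04-24 03:40:51 198.51.100.7 GET /index.html - 200
2003-04-24 04:02:33 192.0.2.15 GET /default.ida NNNNNNNNNNNNNNNNNNNN%u9090%u6858 404
2003-04-25 11:19:02 203.0.113.40 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 404
"""

# Code Red requests /default.ida with a long run of N (v1) or X (Code Red II) padding.
# The minimum run length of 16 is an assumption chosen to avoid short false matches.
CODE_RED = re.compile(r"^(N{16,}|X{16,})")

def code_red_hits(log_text):
    """Return {source_ip: [(timestamp, raw_line), ...]} for Code Red style requests."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if "c-ip" in row and stem.endswith("/default.ida") and CODE_RED.match(query):
            stamp = f"{row.get('date', '?')} {row.get('time', '?')}"
            hits[row["c-ip"]].append((stamp, line))
    return dict(hits)

def abuse_report(ip, events, tz="UTC"):
    """Format one per-source report body; IIS W3C logs record UTC by default."""
    header = (f"Source IP: {ip}\n"
              f"Events: {len(events)} Code Red style requests (log times in {tz})\n"
              f"First seen: {events[0][0]}\n"
              f"Last seen:  {events[-1][0]}\n"
              "Raw log lines follow:\n")
    return header + "\n".join(raw for _, raw in events)

if __name__ == "__main__":
    for ip, events in code_red_hits(SAMPLE_LOG).items():
        print(abuse_report(ip, events), end="\n\n")
```

Exact timestamps with the time zone matter here because, with dynamic addresses, the ISP needs them to map the address to the customer who held it at that moment.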

